CN106533829A - Bit entropy-based domain name system (DNS) flow identification method - Google Patents


Info

Publication number
CN106533829A
Authority: CN (China)
Prior art keywords: bit, byte, log, dns, statistics
Legal status: Granted
Application number: CN201610970282.7A
Other languages: Chinese (zh)
Other versions: CN106533829B (en)
Inventor: 程光
Current assignee: Southeast University
Original assignee: Southeast University


Classifications

    • H04L43/18 Protocol analysers (H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L61/4511 Network directories; name-to-address mapping using standardised directory access protocols, using the domain name system [DNS] (H04L61/00 Network arrangements, protocols or services for addressing or naming)
    • H04L69/164 Adaptation or special uses of UDP protocol (H04L69/16 Implementation or adaptation of IP, TCP or UDP)

Abstract

The present invention relates to a bit entropy-based DNS traffic identification method. The method rests on the principle that all DNS messages share the DNS format structure, so their byte bit entropies lie close together, whereas non-DNS messages carried on port 53 do not have the DNS message structure, so their bit entropy distance is larger. Before measurement, a set of DNS messages is first captured as samples and their byte bit entropies are calculated; the byte bit entropies of the messages under test on port 53 are calculated in the same way; the distance between the byte bit entropies of a port-53 message and those of the DNS samples is then compared with a set threshold: if the distance is greater than the threshold, the port-53 message is classified as a non-DNS message, otherwise as a DNS message. Compared with conventional methods, the bit entropy-based DNS traffic identification method of the present invention is fast to compute, uses very little system memory, and at the same time saves network traffic processing time.

Description

A bit entropy-based DNS traffic identification method
Technical field
The present invention relates to the field of network traffic identification and analysis, and in particular to a method for identifying DNS traffic.
Background technology
Internet communication uses IP addresses, which are numeric and hard for users to remember, so easily remembered domain names are used instead. DNS (Domain Name System) is the Internet technology that converts a domain name into an IP address: each DNS server stores a large number of host name to IP address mappings and updates them dynamically, and client programs use the DNS protocol to query the DNS server for the IP address of a destination host. In a query, the client sends a UDP/TCP message to port 53 of the DNS server; the server processes it and returns the result, again in the form of a UDP/TCP message. The DNS protocol is specified in IETF documents such as RFC2191, RFC2136 and RFC2308. A LAN firewall has to open UDP port 53 so that hosts on the network can perform domain name resolution.
To carry out covert communication, network attackers tunnel traffic through UDP port 53 so as to evade firewall interception; traversing the firewall in this way has become one of the main forms of current network attack. In that case the port-53 traffic is not DNS traffic but traffic of some other type: a host inside the LAN and a host outside set the port of their UDP messages to 53, communicate directly across the firewall and transmit data illicitly. Fast identification of port-53 traffic is therefore important for ensuring network security and network performance.
Existing DNS traffic detection mainly uses two methods. The first is protocol content matching: each arriving port-53 message is matched against the message format of the DNS protocol; if it can be matched and parsed normally, the transmission is DNS traffic, otherwise it is considered not to be DNS traffic. The second extracts features of the DNS traffic, such as message length, number of messages, byte count and inter-message interval, and classifies them with machine learning methods such as C4.5.
The prior art has the following difficulties. The first method parses every message according to the protocol, so its efficiency is very low and it severely affects the filtering performance of the firewall; moreover, if a single bit or field has been changed so that the message cannot be parsed normally, that traffic is also treated as anomalous tunnelling traffic. The second method needs to collect a large amount of traffic data in advance and must match and analyse high-dimensional traffic-type features; its traffic statistics change in different network environments, and the classification algorithm places higher demands on firewall resources.
The idea of the invention is that DNS traffic has obvious format characteristics, so the byte bit entropies of DNS traffic are closely distributed. The present invention therefore examines each byte in the port-53 traffic, counts the distribution of each bit position within the bytes to obtain the bit entropies, and then calculates the byte bit entropy distance; if the byte bit entropy distance of the traffic exceeds a defined threshold, the port-53 traffic is considered tunnelling traffic, otherwise it is considered normal DNS traffic. Compared with existing similar approaches, this method makes full use of the stable format characteristics of DNS, the algorithm is efficient, and it can be deployed to filter and detect port-53 traffic in firewalls and switches with limited resources.
The content of the invention
The method of the present invention calculates the bit entropy distance in UDP port-53 traffic in order to distinguish normal DNS traffic from non-DNS traffic, thereby improving the efficient identification of port-53 traffic. The specific content of the invention is as follows:
Step 1: Set the DNS classification threshold H, set the DNS message sample count m, and set the end time T for detecting messages whose source port or destination port is 53; go to step 2;
Step 2: Collect from the network traffic messages whose source port or destination port is 53, and capture m DNS messages using a DNS protocol identification method; go to step 3;
Step 3: Count the number k of payload bytes in the m collected DNS messages. Each byte has 8 bits; compute the entropy of each of the 8 bit positions. For bit position i (i = 1, ..., 8), let b_i be the number of the k bytes whose i-th bit has the value 1; the i-th bit entropy is
e_i = -(b_i/k) * log2(b_i/k) - (1 - b_i/k) * log2(1 - b_i/k),
giving e1, e2, ..., e8, where log2 is the base-2 logarithm; go to step 4;
Step 4: Collect one pending message whose source port or destination port is 53; go to step 5;
Step 5: Count the number h of payload bytes in the collected port-53 message. For bit position i (i = 1, ..., 8), let p_i be the number of the h bytes whose i-th bit has the value 1; the i-th bit entropy is
f_i = -(p_i/h) * log2(p_i/h) - (1 - p_i/h) * log2(1 - p_i/h),
giving f1, f2, ..., f8; go to step 6;
Step 6: Calculate the bit entropy distance a between the port-53 message under test and the DNS messages:
aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa / 8),
where aa is an intermediate value; go to step 7;
Step 7: Compare the bit entropy distance a with the DNS classification threshold H: if a is less than H, the port-53 message under test is a DNS message, otherwise the detected port-53 message is not a DNS message; go to step 8;
Step 8: If the measurement time is less than the end time T, return to step 4; otherwise end the method.
Compared with the prior art, the present invention first collects some DNS messages as samples before measurement and calculates the bit entropy of the sample bytes; it then calculates the byte bit entropy of each detected port-53 message and compares the distance between that message's byte bit entropy and the DNS message bit entropy to decide whether the detected port-53 message is a DNS message. The principle used is that DNS messages all have the DNS format structure, so their byte bit entropies are close, whereas non-DNS messages on port 53 do not use the DNS message structure, so the bit entropy distance between a non-DNS message and DNS messages is large. Because the invention only performs a simple bit entropy calculation on each port-53 message, the calculation is fast and the firewall's system memory use is very small, which saves the firewall's network traffic processing time and improves detection efficiency. Secondly, compared with existing machine learning methods, which rely on measures such as the message time interval and mean message size and therefore need a group of port-53 messages before a decision can be made, this method can detect each port-53 message individually, which provides real-time detection.
Description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is embodiment one of the present invention;
Fig. 3 is embodiment two of the present invention.
Specific embodiment
The technical scheme of the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments, so that those skilled in the art can better understand and practise the invention; the illustrated embodiments do not limit the invention.
Fig. 2 is embodiment one of the present invention, which specifically includes the following steps:
Step 201: Set a DNS classification threshold H, set the DNS message sample count m, and set the end time T for detecting messages whose source port or destination port is 53; go to step 202;
Step 202: Collect from the network traffic messages whose source port or destination port is 53 and capture m DNS messages using a DNS protocol identification method. The DNS protocol is specified in IETF documents such as RFC2191, RFC2136 and RFC2308; the content of the messages produced in DNS protocol interactions is analysed for pattern features that distinguish DNS from other protocols, and the protocol type of the traffic is determined from those DNS-specific pattern features. Content-based DNS protocol identification mainly represents protocol features in two ways, fixed strings and regular expressions. For example, the DNS protocol defines that every DNS message has a 12-byte DNS header consisting of a 2-byte identifier, 2 bytes of flags, a 2-byte question count, a 2-byte resource record count, a 2-byte authority resource record count and a 2-byte additional resource record count. According to the DNS protocol definition, the content of each port-53 message is matched against the content defined by the protocol; if it conforms to the format prescribed by the DNS protocol, the port-53 message is recognised as a DNS message. All collected port-53 traffic is identified in this way and m DNS messages are captured;
go to step 203;
Step 203: Count the number k of payload bytes in the m collected DNS messages. Each byte has 8 bits; compute the entropy of each of the 8 bit positions. For bit position i (i = 1, ..., 8), let b_i be the number of the k bytes whose i-th bit has the value 1; the i-th bit entropy is
e_i = -(b_i/k) * log2(b_i/k) - (1 - b_i/k) * log2(1 - b_i/k),
giving e1, e2, ..., e8, where log2 is the base-2 logarithm; go to step 204;
Step 204: Collect one pending message whose source port or destination port is 53; go to step 205;
Step 205: Count the number h of payload bytes in the collected port-53 message. For bit position i (i = 1, ..., 8), let p_i be the number of the h bytes whose i-th bit has the value 1; the i-th bit entropy is
f_i = -(p_i/h) * log2(p_i/h) - (1 - p_i/h) * log2(1 - p_i/h),
giving f1, f2, ..., f8; go to step 206;
Step 206: Calculate the bit entropy distance a between the port-53 message under test and the DNS messages:
aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa / 8),
where aa is an intermediate value; go to step 207;
Step 207: Compare the bit entropy distance a with the DNS classification threshold H: if a is less than H, the port-53 message under test is a DNS message, otherwise the detected port-53 message is not a DNS message; go to step 208;
Step 208: If the measurement time is less than the end time T, return to step four, i.e. step 204; otherwise end the method.
Fig. 3 is embodiment two of the present invention, which specifically includes the following steps:
Step 301: Set a DNS classification threshold H; H takes values between 0 and 1, and in this example H is set to 0.1. Set the DNS message sample count to 1, and set the end time T for detecting messages whose source port or destination port is 53 to 3 s; go to step 302;
Step 302: Collect from the network traffic messages whose source port or destination port is 53 and capture 1 DNS message using a DNS protocol identification method; go to step 303;
Step 303: The number k of payload bytes in the 1 collected DNS message is 186; each byte has 8 bits, and the entropy of each of the 8 bit positions is computed:
Over these 186 bytes, the 1st bit has the value 1 in 27 bytes; 1st bit entropy e1 = -(27/186) * log2(27/186) - (1 - 27/186) * log2(1 - 27/186) = 0.597,
Over these 186 bytes, the 2nd bit has the value 1 in 61 bytes; 2nd bit entropy e2 = -(61/186) * log2(61/186) - (1 - 61/186) * log2(1 - 61/186) = 0.913,
Over these 186 bytes, the 3rd bit has the value 1 in 67 bytes; 3rd bit entropy e3 = -(67/186) * log2(67/186) - (1 - 67/186) * log2(1 - 67/186) = 0.943,
Over these 186 bytes, the 4th bit has the value 1 in 34 bytes; 4th bit entropy e4 = -(34/186) * log2(34/186) - (1 - 34/186) * log2(1 - 34/186) = 0.686,
Over these 186 bytes, the 5th bit has the value 1 in 47 bytes; 5th bit entropy e5 = -(47/186) * log2(47/186) - (1 - 47/186) * log2(1 - 47/186) = 0.816,
Over these 186 bytes, the 6th bit has the value 1 in 43 bytes; 6th bit entropy e6 = -(43/186) * log2(43/186) - (1 - 43/186) * log2(1 - 43/186) = 0.780,
Over these 186 bytes, the 7th bit has the value 1 in 56 bytes; 7th bit entropy e7 = -(56/186) * log2(56/186) - (1 - 56/186) * log2(1 - 56/186) = 0.883,
Over these 186 bytes, the 8th bit has the value 1 in 68 bytes; 8th bit entropy e8 = -(68/186) * log2(68/186) - (1 - 68/186) * log2(1 - 68/186) = 0.947,
where log2 is the base-2 logarithm; go to step 304;
Step 304: Collect one pending message whose source port or destination port is 53; go to step 305;
Step 305: The number of payload bytes in the collected port-53 message is 110:
Over these 110 bytes, the 1st bit has the value 1 in 56 bytes; 1st bit entropy f1 = -(56/110) * log2(56/110) - (1 - 56/110) * log2(1 - 56/110) = 0.999,
Over these 110 bytes, the 2nd bit has the value 1 in 49 bytes; 2nd bit entropy f2 = -(49/110) * log2(49/110) - (1 - 49/110) * log2(1 - 49/110) = 0.991,
Over these 110 bytes, the 3rd bit has the value 1 in 50 bytes; 3rd bit entropy f3 = -(50/110) * log2(50/110) - (1 - 50/110) * log2(1 - 50/110) = 0.994,
Over these 110 bytes, the 4th bit has the value 1 in 44 bytes; 4th bit entropy f4 = -(44/110) * log2(44/110) - (1 - 44/110) * log2(1 - 44/110) = 0.971,
Over these 110 bytes, the 5th bit has the value 1 in 46 bytes; 5th bit entropy f5 = -(46/110) * log2(46/110) - (1 - 46/110) * log2(1 - 46/110) = 0.981,
Over these 110 bytes, the 6th bit has the value 1 in 52 bytes; 6th bit entropy f6 = -(52/110) * log2(52/110) - (1 - 52/110) * log2(1 - 52/110) = 0.998,
Over these 110 bytes, the 7th bit has the value 1 in 55 bytes; 7th bit entropy f7 = -(55/110) * log2(55/110) - (1 - 55/110) * log2(1 - 55/110) = 1,
Over these 110 bytes, the 8th bit has the value 1 in 57 bytes; 8th bit entropy f8 = -(57/110) * log2(57/110) - (1 - 57/110) * log2(1 - 57/110) = 0.999,
go to step 306;
Step 306: Calculate the bit entropy distance a between the port-53 message under test and the DNS message:
aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2
= (0.597 - 0.999)^2 + (0.913 - 0.991)^2 + (0.943 - 0.994)^2 + (0.686 - 0.971)^2 + (0.816 - 0.981)^2 + (0.780 - 0.998)^2 + (0.883 - 1)^2 + (0.947 - 0.999)^2 = 0.343,
a = sqrt(aa / 8) = sqrt(0.343 / 8) = 0.207,
where aa is an intermediate value; go to step 307;
Step 307: Compare the bit entropy distance a = 0.207 with the DNS classification threshold H = 0.1: a is greater than H, so the port-53 message under test is not a DNS message; go to step 308;
Step 308: The measurement time, now 2 s, is less than the end time of 3 s; go to step 309;
Step 309: Collect one pending message whose source port or destination port is 53; go to step 310;
Step 310: The number of payload bytes in the collected port-53 message is 30:
Over these 30 bytes, the 1st bit has the value 1 in 3 bytes; 1st bit entropy f1 = -(3/30) * log2(3/30) - (1 - 3/30) * log2(1 - 3/30) = 0.469,
Over these 30 bytes, the 2nd bit has the value 1 in 9 bytes; 2nd bit entropy f2 = -(9/30) * log2(9/30) - (1 - 9/30) * log2(1 - 9/30) = 0.881,
Over these 30 bytes, the 3rd bit has the value 1 in 12 bytes; 3rd bit entropy f3 = -(12/30) * log2(12/30) - (1 - 12/30) * log2(1 - 12/30) = 0.971,
Over these 30 bytes, the 4th bit has the value 1 in 4 bytes; 4th bit entropy f4 = -(4/30) * log2(4/30) - (1 - 4/30) * log2(1 - 4/30) = 0.567,
Over these 30 bytes, the 5th bit has the value 1 in 6 bytes; 5th bit entropy f5 = -(6/30) * log2(6/30) - (1 - 6/30) * log2(1 - 6/30) = 0.722,
Over these 30 bytes, the 6th bit has the value 1 in 5 bytes; 6th bit entropy f6 = -(5/30) * log2(5/30) - (1 - 5/30) * log2(1 - 5/30) = 0.650,
Over these 30 bytes, the 7th bit has the value 1 in 9 bytes; 7th bit entropy f7 = -(9/30) * log2(9/30) - (1 - 9/30) * log2(1 - 9/30) = 0.881,
Over these 30 bytes, the 8th bit has the value 1 in 12 bytes; 8th bit entropy f8 = -(12/30) * log2(12/30) - (1 - 12/30) * log2(1 - 12/30) = 0.971,
go to step 311;
Step 311: Calculate the bit entropy distance a between the detected port-53 message and the DNS message:
aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2
= (0.597 - 0.469)^2 + (0.913 - 0.881)^2 + (0.943 - 0.971)^2 + (0.686 - 0.567)^2 + (0.816 - 0.722)^2 + (0.780 - 0.650)^2 + (0.883 - 0.881)^2 + (0.947 - 0.971)^2 = 0.059,
a = sqrt(aa / 8) = sqrt(0.059 / 8) = 0.086,
where aa is an intermediate value; go to step 312;
Step 312: Compare the bit entropy distance a = 0.086 with the DNS classification threshold H = 0.1: 0.086 is less than 0.1, so the port-53 message under test is a DNS message; go to step 313;
Step 313: The measurement time is now 4 s, which exceeds the end time of 3 s; end the method.
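Steps 1 to 8 of the method and embodiment two, carried through in Python as an added worked example (this is not code from the patent or its assignee). It assumes that "1st bit" means the most significant bit of each byte, that 0 * log2(0) is taken as 0 when a bit position is constant over all bytes (the patent's formula is undefined there), and that the measured bytes are the UDP payload; the DNS query bytes and the per-bit counts are constructed, the counts being transcribed from embodiment two.

```python
"""Bit-entropy DNS traffic identification, following steps 1-8 of CN106533829A.

Added worked example; the function names, the MSB-first bit numbering and the
sample data are assumptions, not the patent's own code.
"""
import math
import struct
from typing import List, Sequence

# Constructed sample payload: a hand-built DNS query for example.com (type A),
# standing in for the "m = 1 DNS message" sample of step 2.
SAMPLE_DNS_QUERY = (
    b"\x12\x34"                   # ID (arbitrary)
    b"\x01\x00"                   # flags: standard query, RD = 1
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME
    b"\x00\x01\x00\x01"           # QTYPE = A, QCLASS = IN
)


def binary_entropy(ones: int, total: int) -> float:
    """-(p)log2(p) - (1-p)log2(1-p) with p = ones/total (steps 3 and 5).

    A bit position that is constant over all bytes gives p = 0 or p = 1; the
    patent's formula is undefined there, so 0*log2(0) is taken as 0 (assumption).
    """
    if total <= 0:
        raise ValueError("entropy of an empty payload is undefined")
    p = ones / total
    return -sum(q * math.log2(q) for q in (p, 1.0 - p) if q > 0.0)


def bit_one_counts(payload: bytes) -> List[int]:
    """b_1..b_8: how many bytes have bit i set; bit 1 is the MSB (assumption)."""
    counts = [0] * 8
    for byte in payload:
        for i in range(8):
            if byte & (0x80 >> i):
                counts[i] += 1
    return counts


def entropies_from_counts(counts: Sequence[int], total: int) -> List[float]:
    """e_i (or f_i) for all eight bit positions from the per-bit one counts."""
    return [binary_entropy(c, total) for c in counts]


def bit_entropies(payload: bytes) -> List[float]:
    """Steps 3/5 applied to raw payload bytes."""
    return entropies_from_counts(bit_one_counts(payload), len(payload))


def entropy_distance(e: Sequence[float], f: Sequence[float]) -> float:
    """Step 6: a = sqrt(aa / 8) with aa = sum over i of (e_i - f_i)^2."""
    aa = sum((ei - fi) ** 2 for ei, fi in zip(e, f))
    return math.sqrt(aa / 8.0)


def is_dns_by_entropy(sample_entropies: Sequence[float], payload: bytes,
                      threshold: float = 0.1) -> bool:
    """Step 7: the message is classified as DNS when its distance a is below H."""
    if not payload:
        return False  # step 5 cannot run on an empty payload; treat as not DNS
    return entropy_distance(sample_entropies, bit_entropies(payload)) < threshold


def has_plausible_dns_header(payload: bytes) -> bool:
    """Step 2 sample acquisition: a cheap format check on the 12-byte header
    (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) before a message is accepted
    as a DNS sample. Only two RFC 1035 invariants are checked: the reserved Z
    flag bit must be zero, and a query must carry at least one question.
    """
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x0040:  # reserved Z bit set: not a well-formed DNS header
        return False
    is_query = (flags & 0x8000) == 0
    return qdcount >= 1 if is_query else True


# Per-bit one counts transcribed from embodiment two of the patent text.
SAMPLE_COUNTS, SAMPLE_BYTES = [27, 61, 67, 34, 47, 43, 56, 68], 186  # DNS sample
MSG1_COUNTS, MSG1_BYTES = [56, 49, 50, 44, 46, 52, 55, 57], 110      # first port-53 message
MSG2_COUNTS, MSG2_BYTES = [3, 9, 12, 4, 6, 5, 9, 12], 30             # second port-53 message


def embodiment_two(threshold: float = 0.1):
    """Reproduce steps 303-312: returns (a for message 1, a for message 2, verdicts)."""
    e = entropies_from_counts(SAMPLE_COUNTS, SAMPLE_BYTES)
    a1 = entropy_distance(e, entropies_from_counts(MSG1_COUNTS, MSG1_BYTES))
    a2 = entropy_distance(e, entropies_from_counts(MSG2_COUNTS, MSG2_BYTES))
    return a1, a2, (a1 < threshold, a2 < threshold)


if __name__ == "__main__":
    a1, a2, verdicts = embodiment_two()
    print(f"message 1: a = {a1:.3f}, DNS = {verdicts[0]}")  # a = 0.207, DNS = False
    print(f"message 2: a = {a2:.3f}, DNS = {verdicts[1]}")  # a = 0.086, DNS = True
    print("constructed query header ok:", has_plausible_dns_header(SAMPLE_DNS_QUERY))
    print("constructed query bit entropies:",
          [round(x, 3) for x in bit_entropies(SAMPLE_DNS_QUERY)])
```

The threshold H = 0.1 is the value embodiment two uses; with only one sample message and the bit-position entropies of short payloads, a sample set of m messages and a threshold tuned on the local DNS traffic are what a deployment would need.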

Claims (1)

1. A bit entropy-based DNS traffic identification method, characterised in that:
Step 1: A DNS classification threshold H is set, a DNS message sample count m is set, and an end time T for detecting messages whose source port or destination port is 53 is set; go to step 2;
Step 2: Messages whose source port or destination port is 53 are collected from the network traffic, and m DNS messages are captured using a DNS protocol identification method; go to step 3;
Step 3: The number k of payload bytes in the m collected DNS messages is counted; each byte has 8 bits, and the entropy of each of the 8 bit positions is computed: for bit position i (i = 1, ..., 8), b_i is the number of the k bytes whose i-th bit has the value 1, and the i-th bit entropy is
e_i = -(b_i/k) * log2(b_i/k) - (1 - b_i/k) * log2(1 - b_i/k),
giving e1, e2, ..., e8, where log2 is the base-2 logarithm; go to step 4;
Step 4: One pending message whose source port or destination port is 53 is collected; go to step 5;
Step 5: The number h of payload bytes in the collected port-53 message is counted: for bit position i (i = 1, ..., 8), p_i is the number of the h bytes whose i-th bit has the value 1, and the i-th bit entropy is
f_i = -(p_i/h) * log2(p_i/h) - (1 - p_i/h) * log2(1 - p_i/h),
giving f1, f2, ..., f8; go to step 6;
Step 6: The bit entropy distance a between the port-53 message under test and the DNS messages is calculated:
aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa / 8),
where aa is an intermediate value; go to step 7;
Step 7: The bit entropy distance a is compared with the DNS classification threshold H: if a is less than H, the port-53 message under test is a DNS message, otherwise the detected port-53 message is not a DNS message; go to step 8;
Step 8: If the measurement time is less than the end time T, return to step 4; otherwise end the method.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610970282.7A CN106533829B (en) 2016-11-04 2016-11-04 A bit entropy-based DNS traffic identification method


Publications (2)

Publication Number Publication Date
CN106533829A true CN106533829A (en) 2017-03-22
CN106533829B CN106533829B (en) 2019-04-30

Family

ID=58327098

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610970282.7A Active CN106533829B (en) 2016-11-04 2016-11-04 A kind of DNS method for recognizing flux based on bit entropy

Country Status (1)

Country Link
CN (1) CN106533829B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
CN101854404A (en) * 2010-06-04 2010-10-06 中国科学院计算机网络信息中心 Method and device for detecting anomaly of domain name system
CN102577303A (en) * 2009-04-20 2012-07-11 思杰系统有限公司 Systems and methods for generating a dns query to improve resistance against a dns attack
CN103905456A (en) * 2014-04-08 2014-07-02 上海交通大学 DNS inverse solution attack detecting system and method based on entropy model
US9363282B1 (en) * 2014-01-28 2016-06-07 Infoblox Inc. Platforms for implementing an analytics framework for DNS security
CN105897714A (en) * 2016-04-11 2016-08-24 天津大学 Botnet detection method based on DNS (Domain Name System) flow characteristics

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
CN102577303A (en) * 2009-04-20 2012-07-11 思杰系统有限公司 Systems and methods for generating a dns query to improve resistance against a dns attack
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
CN101854404A (en) * 2010-06-04 2010-10-06 中国科学院计算机网络信息中心 Method and device for detecting anomaly of domain name system
US9363282B1 (en) * 2014-01-28 2016-06-07 Infoblox Inc. Platforms for implementing an analytics framework for DNS security
US20160308833A1 (en) * 2014-01-28 2016-10-20 Infoblox Inc. Platforms for implementing an analytics framework for dns security
CN103905456A (en) * 2014-04-08 2014-07-02 上海交通大学 DNS inverse solution attack detecting system and method based on entropy model
CN105897714A (en) * 2016-04-11 2016-08-24 天津大学 Botnet detection method based on DNS (Domain Name System) flow characteristics

Also Published As

Publication number Publication date
CN106533829B (en) 2019-04-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant